Best Practices for Watching the Watchers

Four questions that promote security and regulatory compliance in your enterprise

08/31/2010

by Philip Lieberman

Inside your data center it's the system administrators, DB admins, and IT managers who hold all the power -- controlling everything from employee access to the confidentiality of private customer data. So much power in the hands of a few individuals ought to be a scary prospect to organizations that depend upon IT to keep the business running and data secure.

The simple truth is that today virtually all IT staff enjoy anonymous, unaudited, 24/7 access to your data center applications, computers, and appliances through use of privileged account credentials. More IT auditors are beginning to notice that this lack of accountability has brought organizations out of compliance with key industry mandates -- SOX, PCI-DSS, HIPAA, and others. The bad guys have also taken notice, exploiting these all-powerful and often poorly secured credentials in many of the latest, headline-grabbing breaches that include the attacks on Google and other U.S. technology firms.

Organizations that are looking to advance IT governance and stay compliant should ask these four questions.

1. Have we changed our privileged account passwords lately?

Too often, security breaches exploit common and weak passwords used for administrative logins, privileged service accounts, and application-to-application communications. The legal requirements of mandates such as PCI DSS, HIPAA, Sarbanes-Oxley, and others now require that these powerful passwords be updated regularly and audited to prevent abuse. However, absent an automated solution, the recurring manual task of updating these credentials can rob your IT staff of the time needed for other projects. Since many C-level executives aren't aware of the risks introduced by unsecured privileged accounts, IT departments are prone to downplay the issue -- at least until auditors notice or the network falls prey to attack.

2. Does our IT staff support a culture of "least privilege"?

Put yourself in the shoes of an IT administrator and you'll see why it's easiest to use a single, anonymous, all-powerful login to complete routine tasks that don't necessarily require it. However, this approach can quickly spread the knowledge of the organization's most sensitive password secrets. Performing a routine duty with powerful credentials that aren't required for the job can turn a small human error into a costly service disruption.

3. Can we prove who had access, when, and for what purpose?

Unlike the credentials that end users provide for routine access, privileged logins aren't audited or controlled by today's identity access systems. This means that absent new controls, when someone uses a privileged account to copy or change a customer record, alter a database schema, or change the configuration of a network appliance, there's no audit trail and no proof of who, when, and why. Without a definitive audit trail, you could find it difficult to take the right recourse in the event of an illegal action or a costly human error.

4. When there's IT staff turnover, will our password secrets walk out the door?

Enterprise firewalls, intrusion detection devices, and endpoint security software do almost nothing to combat insider threats. Absent a culture of accountability over privileged access, departing IT staff could be tempted to take sensitive information with them. Furthermore, for the safety of the organization, the moment an IT employee changes job roles -- whether amicably or not -- all passwords that grant privileged access to systems, appliances, and applications must be changed.

In the event that questions arise about a departing employee's actions, it can be critically important to have an audit trail of privileged access in the days and weeks before the change in job role. You should know that best-in-class privileged identity management solutions continuously update passwords, audit, and report access, and authenticate directly with your existing directory services to allow or deny access the instant employee job roles change.

Seeing the Big Picture

Having worked with many organizations over the years, I've realized that shared passwords, seldom changed privileged credentials, and employees with too much access and too little accountability are the rule rather than the exception. The outcome is never good: embarrassing security breaches and costly IT audit failures. By asking the questions outlined above -- and taking these basic steps to address any shortcomings -- your organization can avoid a similar fate.

Philip Lieberman is president and CEO of Lieberman Software. You can reach him and learn more about Privileged Identity Management by contacting Lieberman Software.